b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\n       PROGRESS IN IMPLEMENTING\n          HOMELAND SECURITY\n       PRESIDENTIAL DIRECTIVE 12\n\n\n\n    July 2007          A-14-07-27110\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking 
new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                      SOCIAL SECURITY\nMEMORANDUM\n\nDate:   July 26, 2007                                                     Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: TheSocial Security Administration\xe2\x80\x99s Progress in Implementing Homeland Security\n        Presidential Directive 12 (A-14-07-27110)\n\n\n        OBJECTIVE\n        Our objective was to determine the Social Security Administration\xe2\x80\x99s (SSA) progress in\n        implementing Homeland Security Presidential Directive (HSPD) 12 as of\n        October 27, 2006.\n\n        BACKGROUND\n        On August 27, 2004, the President of the United States signed HSPD-12, Policy for a\n        Common Identification Standard for Federal Employees and Contractors. HSPD-12\n        directed the promulgation of a Federal standard for a secure and reliable form of\n        identification for Federal employees and contractors.\n\n        To assist in the implementation of HSPD-12, the National Institute of Standards and\n        Technology (NIST) issued Federal Information Processing Standard (FIPS) Publication\n        (PUB) 201. 1 FIPS PUB 201-1, Personal Identity Verification (PIV) of Federal\n        Employees and Contractors, provides guidance that executive departments and\n        agencies are to use to implement HSPD-12. FIPS PUB 201-1 (the \xe2\x80\x9cStandard\xe2\x80\x9d) is to be\n        implemented in two parts. 
Part-I addresses control and security objectives and Part-II\n        addresses the technical components and processes that support a common smart card-\n        based platform.\n\n\n\n\n        1\n         FIPS PUB 201, PIV of Federal Employees and Contractors, was amended in March and June of 2006.\n        After the March 2006 amendment, the publication reference number became 201-1.\n\x0cPage 2 \xe2\x80\x93 The Commissioner\n\n\nThe Office of Management and Budget (OMB) issued Memorandum M-05-24 on\nAugust 5, 2005. 2 M-05-24 provides implementing instructions and timelines for\nadditional actions that Federal departments and agencies need to complete for\nHSPD-12 by certain specified dates. For example, the Memorandum indicates that all\ncovered Federal Departments and agencies must:\n\n      \xe2\x80\xa2   adopt and accredit a registration process consistent with FIPS PUB 201 identity\n          proofing, registration and accreditation requirements for new Agency employees,\n          contractors and other applicable individuals by October 27, 2005; 3\n\n      \xe2\x80\xa2   begin deploying products and operational systems by October 27, 2006, to issue\n          and require the use of identity credentials for all new employees and contractors,\n          compliant with Part 1 and Part 2 of the Standard. For current employees and\n          contractor personnel, phase in issuance and use of identity credentials meeting\n          the Standard no later than October 27, 2007; 4\n\n      \xe2\x80\xa2   plan for and begin background investigations for all current employees with\n          15 years or less Federal service and current contractor personnel who do not\n          have an initiated or successfully adjudicated investigation on record. 
Verification\n          and/or completion of background investigations for all current employees are\n          required by October 27, 2007, as is the phase-in of a plan and initiation of\n          investigations for all current contractors; 5 and\n\n      \xe2\x80\xa2   complete new background investigations, commensurate with risk, for all\n          Department or agency employees with over 15 years Federal service no later\n          than October 27, 2008. 6\n\nFIPS PUB 201-1 indicates that all departments and Agencies shall implement the\nPersonal Identity Verification (PIV) system in accordance with the spirit and letter of all\nprivacy controls specified in that standard as well as those specified in Federal privacy\n\n\n\n\n2\n  OMB Memorandum M-05-024, Implementation of Homeland Security Presidential Directive 12 - Policy\nfor a Common Identification Standard for Federal Employees and Contractors.\n3\n    OMB, Memorandum M-05-24, Attachment A \xc2\xa7 3.A., p. 5.\n4\n    OMB, supra, \xc2\xa7 4, p. 6.\n\n5\n    OMB, supra, \xc2\xa7 3.D and 3.E., p. 6.\n\n6\n    OMB, supra, \xc2\xa7 3.D, p. 6.\n\x0cPage 3 \xe2\x80\x93 The Commissioner\n\n\nlaws and policies, including but not limited to the E-Government Act of 2002 7 (E-Gov),\nthe Privacy Act of 1974, 8 and OMB Memorandum M-03-22, 9 as applicable. 10\n\nRESULTS OF AUDIT\n\nSSA had implemented a number of important OMB and FIPS PUB 201-1 requirements\nfor HSPD-12 as of October 27, 2006. 
For example, SSA:\n\n       \xe2\x80\xa2   Created and used an HSPD-12 identity proofing, registration and issuance\n           process for new Agency employees hired at its Headquarters (HQ) complex.\n       \xe2\x80\xa2   Issued 13 PIV II credentials before the OMB mandated target date.\n       \xe2\x80\xa2   Formulated and executed a plan to help ensure that SSA employees have an\n           appropriate background investigation either initiated or on file.\n       \xe2\x80\xa2   Filed the required notices and took appropriate actions needed to address\n           HSPD-12 privacy and security requirements involving the protection of\n           Personally Identifiable Information in the development of a new system of\n           records.\n\nHowever, SSA needs to address the following areas:\n\n      \xe2\x80\xa2    SSA\xe2\x80\x99s HSPD-12 identity proofing, registration, and issuance process was not\n           implemented nationwide.\n      \xe2\x80\xa2    SSA contractor personnel hired during the period of October 27, 2005 through\n           October 27, 2006 were not processed using the SSA HSPD-12 identity proofing\n           and registration protocol.\n      \xe2\x80\xa2    The General Services Administration (GSA) found that SSA credentials were not\n           fully compliant with technical requirements.\n      \xe2\x80\xa2    The infrastructure needed to support the use of the credentials issued was not in\n           place due to GSA delays.\n\n\n\n\n7\n    44 U.S.C. ch. 36.\n8\n    5 U.S.C. \xc2\xa7 552a.\n9\n OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,\nSeptember 26, 2003.\n10\n   U.S. Department of Commerce, Federal Information Processing Standard (FIPS) 201-1, Section 2.4,\np. 
7, March 2006.\n\x0cPage 4 \xe2\x80\x93 The Commissioner\n\n\nTHE SSA PERSONAL IDENTITY PROOFING, REGISTRATION, AND ISSUANCE\nPROCESS WAS NOT IMPLEMENTED NATIONWIDE\n\nThe personal identity proofing, registration and issuance process adopted by SSA was\nnot implemented nationwide. Therefore, new SSA employees hired outside of the HQ\ncomplex were not processed in accordance with SSA\xe2\x80\x99s HSPD-12 personal identity\nproofing and registration protocol. As a result, SSA may not have achieved HSPD-12\nobjectives to enhance security and increase Government efficiency with respect to\nemployees hired outside the HQ complex during the review period of October 27, 2005\nto October 26, 2006. FIPS PUB 201-1 11 requires the adoption and use of an HSPD-12\nidentity proofing and registration process that satisfies Part 1 PIV I control and security\nobjectives (for details see report Appendix B-2, Section titled Control Objectives for\nHSPD-12).\n\nAccording to Agency management, the scarcity of resources and tight time constraints\nlimited implementation of a compliant HSPD-12 standard personal identity verification\nsystem. SSA needs to expand this process nationwide for all new employees.\n\nNEW CONTRACTOR PERSONNEL WERE NOT PROCESSED USING THE SSA\nHSPD-12 IDENTITY PROOFING AND REGISTRATION PROTOCOL\n\nNew contractor personnel hired during the review period of October 27, 2005 to\nOctober 26, 2006 were not processed in accordance with the required SSA HSPD-12\nidentity proofing and registration protocol. As a result, SSA may not have achieved\nHSPD-12 objectives to enhance security and increase Government efficiency with\nrespect to new contractor personnel hired. 
FIPS PUB 201-1 12 requires the adoption\nand use of an HSPD-12 identity proofing and registration process that satisfy Part 1 PIV\nI control objectives (for details see Appendix B-2, Section titled Control Objectives for\nHSPD-12).\n\nAccording to SSA management, formal guidance was not initially available in the review\nperiod that would have enabled the Agency to develop a process that would meet\nHSPD-12 contractor personnel processing requirements. GSA, in November 2006,\nissued a new Federal Acquisition Regulations Clause 13 that addressed HSPD-12\ncompliance. SSA needs to modify future contract language where appropriate and use\nHSPD-12 identity proofing and registration protocol to process new SSA contractor\npersonnel.\n\n\n\n11\n  FIPS 201-1, supra, Section 2.2 requires the adoption and use of an approved HSPD-12 identity\nproofing and registration process, to satisfy PIV I control objectives (for details see report Appendix B-2\nSection titled Control Objectives for HSDP-12).\n12\n     Id.\n13\n  Federal Acquisition Regulations subpart 52.2 Text of Provisions and Clauses, 52.204-9 Personal\nIdentity Verification of Contractor Personnel, (November 2006).\n\x0cPage 5 \xe2\x80\x93 The Commissioner\n\n\nPIV II CREDENTIALS ISSUED WERE NOT CERTIFIED AND INFRASTRUCTURE\nWAS NOT IN PLACE\n\nSSA issued thirteen PIV II credentials prior to the mandated target date for beginning to\ndeploy such products. However, those credentials were not certified by GSA as\nmeeting FIPS PUB 201-1 credential technical requirements. 14 Additionally, the\ninfrastructure necessary to support the use of the issued credentials was not in place.\nTherefore, while SSA demonstrated the ability to issue a PIV credential, the credential\nissued did not fully meet HSPD-12 credential technical requirements. 
OMB\nMemorandum M-05-24 requires implementation of Part 2 of the Standard by mandating\nthat by October 27, 2006, all Federal departments and agencies begin deploying\nproducts and operational systems meeting certain requirements, including issuing and\nrequiring the use of identity credentials for all new employees and contactors, compliant\nwith Parts 1 and Part 2 of the Standard. 15 Further, OMB Memorandum M-07-06\nrequires that all agencies must provide to GSA, by January 19, 2007, a credential with\ntheir agency\xe2\x80\x99s standard configuration for testing to ensure that the agency credential\nmeets FIPS 201-1 requirements. 16\n\nSSA submitted its HSPD-12 credential to GSA in November 2006 for compliance\ntesting. The results of the November 2006 test were mixed. The SSA credential\npassed some tests and failed others. SSA management stated that it will resubmit the\ncredential for additional compliance testing when the areas where the credential failed\nhave been addressed.\n\nSSA management also stated that the completion of the SSA HSPD-12 infrastructure is\ndependent upon GSA\xe2\x80\x99s acquisition of the hardware security module and the card\nmanagement system. When these elements become available, SSA will be able to\nimplement the infrastructure needed to support the use of a compliant HSPD-12\ncredential nationwide.\n\nSSA should obtain GSA certification for the credential it plans to use to meet HSPD-12\ntechnical operability requirements and when available, implement the infrastructure\nneeded to support the use of Part 2 compliant credentials.\n\n\n\n\n14\n  FIPS 201-1, supra, Part 2: PIV-II, provides detailed information as to the technical functional\nrequirements that the PIV II credential needs to meet (see Sections 4.1 through 4.5.3, pages 15-37).\n15\n     OMB, supra, \xc2\xa7 4, p. 
6.\n16\n     OMB Memorandum M-07-06, \xc2\xa7 1.\n\x0cPage 6 \xe2\x80\x93 The Commissioner\n\n\nCONCLUSIONS AND RECOMMENDATIONS\nSSA had implemented a number of important OMB and FIPS PUB 201-1 requirements\nfor HSPD-12 as of October 27, 2006. For example, SSA created and used an HSPD-12\nidentity proofing, registration and issuance process for new Agency employees at its HQ\ncomplex; issued 13 PIV II credentials before the OMB mandated target date; formulated\nand executed a plan to help ensure SSA employees have an appropriate background\ninvestigation initiated or on file; and filed the required notices and took appropriate\nactions needed to address HSPD-12 privacy and security requirements involving the\nprotection of Personally Identifiable Information in the development of a new system of\nrecords.\n\nHowever, SSA still needs to: implement an HSPD-12 identity proofing, registration, and\nissuance process nationwide and use it to process new SSA employees and contractor\npersonnel; issue a credential that has been certified by NIST as having met Part 2 PIV II\ncredential technical requirements and implement the infrastructure needed to support\nthe use of a compliant credential.\n\nWe recommend SSA:\n\n1. Implement the HSPD-12 identity proofing, registration and issuance process\n   nationwide for all new SSA employees and contractor personnel.\n\n2. Ensure contract language is HSPD-12 compliant where appropriate.\n\n3. Issue credentials certified by GSA as having met Part 2 PIV II credential technical\n   requirements.\n\n4. When available, implement the necessary infrastructure that will support and control\n   the use of a compliant credential.\n\nAGENCY COMMENTS\nSSA agreed to implement our recommendations. The Agency added that it could\nnot comply with our recommendations in the past due to conditions outlined in the full\ntext of its comments shown in Appendix E. 
However, SSA plans to implement each of\nthe OIG recommendations in the future.\n\n\n\n\n                                                Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Background\n\nAPPENDIX C \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX D \xe2\x80\x93 Sampling Methodology and Results\n\nAPPENDIX E \xe2\x80\x93 Agency Comments\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                          Appendix A\n\nAcronyms\nE-GOV      Electronic Government\nFBI        Federal Bureau of Investigation\nFIPS PUB   Federal Information Processing Standards Publication\nGSA        General Services Administration\nHQ         Headquarters\nHSPD       Homeland Security Presidential Directive\nNACI       National Agency Check with Written Inquiries\nNIST       National Institute of Standards and Technology\nOMB        Office of Management and Budget\nPIA        Privacy Impact Assessment\nPIV        Personal Identity Verification\nSSA        Social Security Administration\n\x0c                                                                       Appendix B\n\nBackground\nOn August 27, 2004, the President of the United States signed Homeland Security\nPresidential Directive (HSPD) 12, Policy for a Common Identification Standard for\nFederal Employees and Contractors (the Directive). HSPD-12 directed the\npromulgation of a mandatory Federal Government-wide standard for secure and reliable\nforms of identification for Federal employees and contractors (including contractor\nemployees).\n\nTo aid in the implementation of HSPD-12, the National Institute of Standards and\nTechnology (NIST) issued Federal Information Processing Standard (FIPS) Publication\n(PUB) 201-1, Personal Identity Verification (PIV) of Federal Employees and\nContractors. 
FIPS PUB 201-1 provides guidance that executive departments and\nagencies are to use to implement HSPD-12.\n\nFIPS PUB 201-1 contains 2 parts. Part 1 addresses control and security objectives of\nthe Directive that have a mandated implementation date of October 27, 2005. Part 1\nrequires the adoption and accreditation of personal identity proofing, registration, and\nissuance and maintenance process for new employees and contractor personnel.\nPart 2 addresses the technical components and processes that support a common\nsmart card-based platform for identity authentication across Federal Departments and\nagencies for access to federally controlled physical and logical environments.\nImplementation of Part 2 requirements is mandated as of October 27, 2006.\n\nThe Office of Management and Budget (OMB) issued Memorandum M-05-24 on\nAugust 5, 2005. M-05-24 provides implementing instructions and timelines for\nadditional actions that Federal Departments and agencies should complete for the\nDirective. 
For example, the Social Security Administration (SSA) is required to comply\nwith the implementation timeframes set forth below:\n\n                 AGENCY REQUIRED MILESTONES AND ACTIONS\n          Date                                   Agency Action\n6/27/05                 Implementation plans submitted to OMB\n8/26/05                 Provide list of other potential uses of the Standard\n10/27/05                Comply with FIPS PUB 201, Part 1\n10/27/06                Begin compliance with FIPS PUB 201-1, Part 2\n10/27/07                Verify and/or complete background investigations for all current\n                        employees and contractor personnel\n10/27/08                Complete new background investigations, commensurate with\n                        risk, for all Federal agency employees who have over 15 years\n                        service time\n\n                                         B-1\n\x0cCONTROL OBJECTIVES OF HSPD-12\n\nFor purposes of HSPD-12, \xe2\x80\x9c\xe2\x80\xa6secure and reliable forms of identification\xe2\x80\xa6\xe2\x80\x9d for Federal\nemployees and contractors means identification that (a) is issued based on sound\ncriteria for verifying an individual employee\xe2\x80\x99s identity; (b) is strongly resistant to identity\nfraud, tampering, counterfeiting and terrorist exploitation; (c) can be rapidly\nauthenticated electronically; and (d) is issued only by providers whose reliability has\nbeen established by an official accreditation process. 1\n\nEach agency\xe2\x80\x99s PIV-I implementation shall meet the above referenced four HSPD-12\ncontrol objectives by ensuring that credentials are issued 1) to individuals whose true\nidentity has been verified and 2) after a proper authority has authorized issuance of the\ncredential. 
Further, 3) only an individual with a background investigation on record is\nissued a credential; 4) an individual is issued a credential only after presenting two\nidentity source documents, at least one of which is a valid Federal or State government\nissued picture ID; 5) fraudulent identity source documents are not accepted as genuine 2\nand unaltered; 6) a person suspected or known to the government as being a terrorist is\nnot issued a credential; 7) no substitution occurs in the identity proofing process. More\nspecifically, the individual who appears for identity proofing, and whose fingerprints are\nchecked against databases, is the person to whom the credential is issued; 8) no\ncredential is issued unless requested by proper authority; 9) a credential remains\nserviceable only up to its expiration date and that a revocation process exists such that\nexpired or invalidated credentials are swiftly revoked; 10) a single corrupt official in the\nprocess may not issue a credential with an incorrect identity or to a person not entitled\nto the credential; and 11) an issued credential is not modified, duplicated, or forged. 3\n\nPIV IDENTITY PROOFING AND REGISTRATION REQUIREMENTS\n\nDepartments and agencies are required to follow an identity proofing and registration\nprocess that meets the following requirements when issuing identity credentials: 4\n\n      \xe2\x80\xa2   The organization shall adopt and use an approved identity proofing and\n          registration process.\n      \xe2\x80\xa2   The process shall begin with initiation of a National Agency Check with Written\n          Inquiries (NACI), or other Office of Personnel Management or National Security\n          community investigation required for Federal employment. 
This requirement may\n          also be satisfied by locating and referencing a completed and successfully\n\n\n\n\n1\n    Homeland Security Presidential Directive/HSPD-12, \xc2\xa7 (3), August 27, 2004.\n2\n  FIPS, supra, \xc2\xa7 2.2 requires the adoption and use of an approved HSPD-12 identity proofing and\nregistration process, in order to satisfy PIV 1 control objectives.\n3\n    FIPS, supra, \xc2\xa7 2.1, page 5.\n4\n    FIPS, supra, \xc2\xa7 2.2, pages 5-6.\n                                                  B-2\n\x0c          adjudicated NACI. At a minimum, the Federal Bureau of Investigation (FBI)\n          National Criminal History Check (fingerprint check) shall be completed before\n          credential issuance. 5\n      \xe2\x80\xa2   The applicant must appear in-person at least once before the issuance of a PIV\n          credential.\n      \xe2\x80\xa2   During identity proofing, the applicant shall be required to provide two forms of\n          identity source documents in original form. The identity source documents must\n          come from the list of acceptable documents included in Form I-9, OMB No. 1115-\n          0136, Employer Eligibility Verification. At least one document shall be a valid\n          State or Federal government-issued picture identification (ID).\n      \xe2\x80\xa2   The PIV identity proofing, registration and issuance process shall adhere to the\n          principal of separation of duties to ensure that no single individual has the\n          capability to issue a PIV credential without the cooperation of another authorized\n          person.\n\nPIV PRIVACY REQUIREMENTS\n\nTo ensure the privacy of applicants, departments and agencies shall: 6\n\n      \xe2\x80\xa2   Assign a senior agency official for privacy. The senior agency official for privacy\n          is the individual who oversees privacy-related matters in the PIV system and is\n          responsible for implementing the privacy requirements in the standard. 
The\n          person serving in this role cannot assume any other operational role in the PIV\n          system.\n      \xe2\x80\xa2   Conduct a comprehensive Privacy Impact Assessment (PIA) on systems\n          containing personal information in identifiable form for the purpose of\n          implementing PIV, consistent with the E-Government Act of 2002 7 and OMB\n          Memorandum M-03-22. Consult with appropriate personnel responsible for\n          privacy issues at the department or agency (e.g., Chief Information Officer)\n          implementing the PIV system.\n      \xe2\x80\xa2   Write, publish, and maintain a clear and comprehensive document listing the\n          types of information that will be collected, the purpose of the collection, what\n          information may be disclosed to whom during the life of the credential, how the\n          information will be protected, and the complete set of uses of the credential and\n          related information at the department or agency. PIV applicants shall be\n          provided full disclosure of the intended uses of the PIV and the related privacy\n          implications.\n\n\n\n\n5\n  OMB Memorandum M-05-24 footnote 6, on page 5, indicates that section 2.2 of the Standard has been\nrevised to clarify for the initial credential issuance, that only the fingerprint check must be completed.\n6\n    FIPS, supra, \xc2\xa7 2.4, p. 7-8.\n7\n    Pub. L. 107-347, 116 Stat. 2899.\n                                                 B-3\n\x0c      \xe2\x80\xa2   Assure that systems that contain Information in Identifiable Form for the purpose\n          of enabling the implementation of PIV are handled in full compliance with fair\n          information practices as defined in the Privacy Act of 1974. 
8\n      \xe2\x80\xa2   Maintain appeals procedures for those who are denied a credential or whose\n          credentials are revoked.\n      \xe2\x80\xa2   Ensure that only personnel with a legitimate need for access to Information in\n          Identifiable Form in the PIV system are authorized to access the Information in\n          Identifiable Form including but not limited to information and databases\n          maintained for registration and credential issuance.\n      \xe2\x80\xa2   Coordinate with appropriate department or agency officials to define\n          consequences for violating privacy policies of the PIV system.\n      \xe2\x80\xa2   Assure that the technologies used in the department or agency\xe2\x80\x99s implementation\n          of the PIV system allow for continuous auditing of compliance with stated privacy\n          policies and practices governing the collection, use, and distribution of\n          information in the operation of the program.\n      \xe2\x80\xa2   Utilize security controls described in NIST Special Publication 800-53,\n          Recommended Security Controls for Federal Information Systems, to accomplish\n          privacy goals, where applicable.\n      \xe2\x80\xa2   Ensure that the technologies used to implement PIV sustain and do not erode\n          privacy protections relating to the use, collection, and disclosure of information in\n          identifiable form. Specifically, employ an electromagnetically opaque sleeve or\n          other technology to protect against any unauthorized contactless access to\n          information stored on a PIV credential.\n\n\n\n\n8\n    5 U.S.C. 
\xc2\xa7 552a, as amended.\n                                             B-4\n\x0c                                                                    Appendix C\n\nScope and Methodology\nTo determine the progress that the Social Security Administration (SSA) has made in\nimplementing Homeland Security Presidential Directive (HSPD) 12 as of\nOctober 27, 2006, we:\n\n   \xe2\x80\xa2   Reviewed applicable laws, regulations and guidance pertaining to HSPD-12.\n\n   \xe2\x80\xa2   Reviewed Agency policies and procedures that were used in implementing\n       HSPD-12 requirements.\n\n   \xe2\x80\xa2   Interviewed appropriate SSA personnel and examined relevant documentation.\n\n   \xe2\x80\xa2   Observed the HSPD-12 credentialing process at the Headquarters\xe2\x80\x99 complex.\n\n   \xe2\x80\xa2   Conducted a random sample of SSA new hires in the Baltimore metropolitan\n       area during the period of October 27, 2005 through October 26, 2006.\n\n   \xe2\x80\xa2   Discussed our preliminary results with Agency management responsible for the\n       implementation of HSPD-12.\n\nTo meet our objective, we interviewed management and key staff within the SSA Office\nof Protective Security Services, and Office of Personnel components located at the\nOffice of Central Operations, the Office of Disability Adjudication and Review, and SSA\nHeadquarters\xe2\x80\x99 complex. We also observed the process used by the SSA Headquarters\xe2\x80\x99\ncomplex Parking and Badging Office to issue badges to Headquarters new hires during\nthe period of October 27, 2005 to October 26, 2006. Our field work was performed from\nOctober 2006 through February 2007. This audit was performed in accordance with\ngenerally accepted government auditing standards. 
The review period was\nOctober 27, 2005 through October 26, 2006.\n\x0c                                                                                 Appendix D\n\nSampling Methodology and Results\nWe selected a random statistical sample of SSA personnel who were hired in the\nBaltimore metropolitan area during the period of October 27, 2005 through\nOctober 26, 2006. We randomly selected 50 individuals from a population of\n698 individuals hired during that time. Our objective was to determine if the SSA\nidentity proofing, registration and issuance process in place met HSPD-12\nrequirements.\n\nAn approved SSA HSPD-12 identity proofing, registration, and issuance process was in\nplace for 21 1 of the 50 individuals sampled. For the remaining 28 individuals, an SSA\nHSPD-12 identity proofing, registration, and issuance process was not implemented\nAgency-wide. Through our sample results and interviews with SSA managers, we\ndetermined SSA had implemented an HSPD-12 process for 21 individuals who were\nhired for Headquarters positions. 
The results are presented in the following table.\n\n                           Applicant     FBI            Background        Two Forms       PIV\nLocation           Total   Appeared      Fingerprint    Investigation     of OMB I-9      Request\n                           In-person     Check          Completed,        Documents       Checklist\n                           Before        Completed      Scheduled,        Obtained        Completed\n                           Badge                        not Needed,\n                           Issued                       or in\n                                                        Process\n\n                                          Headquarters\n                    22          19          21          21                     19              19\n                                        Non-Headquarters\nOffice of           21          21          21          20                     19              0\nCentral\nOperations\nOffice of            6          6              6               6                5              0\nDisability\nAdjudication\nand Review\nNational             1          1              1               1                1              0\nComputer\nCenter\nTotal               50          47            49              48               44              19\n\n\n\n\n1\n One individual hired at the SSA Headquarters complex was a member of the SSA Board of Trustees.\nAs such, this individual would have no need to access SSA controlled facilities or system resources.\n\x0c                  Appendix E\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\nMEMORANDUM\n\nDate:      July 6, 2007                                                          Refer To:   S1J-3\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster (David A. 
Rust /s/ for)
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “The Social Security Administration’s
           Progress in Implementing Homeland Security Presidential Directive-12”
           (A-14-07-27110)--INFORMATION


           We appreciate OIG’s efforts in conducting this review. Our comments on the draft report content
           and recommendations are attached.

           Please let me know if we can be of further assistance. Staff inquiries may be directed to
           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

           Attachment:
           SSA Response


COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,
“SOCIAL SECURITY ADMINISTRATION'S PROGRESS IN IMPLEMENTING
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-12”
(A-14-07-27110)

Thank you for the opportunity to review and comment on the draft report. We appreciate your
conducting this audit of the Social Security Administration’s (SSA) progress in implementing
Homeland Security Presidential Directive (HSPD)-12 for the period October 27, 2005 through
October 2006.

Recommendation 1

SSA should implement the HSPD-12 identity proofing, registration and issuance process
nationwide for all new SSA employees and contractor personnel.

Comment

We partially agree with this recommendation for the study period. On December 15, 2005, the
Office of Management and Budget (OMB) accepted SSA's HSPD-12 implementation plan
template, which specified that the Agency would implement an HSPD-12 compliant personal
identity verification system in phases, beginning with Headquarters employees and contractors.
SSA is implementing that plan and has also begun the process to include employees who work in
a field office (FO) facility where a badge is currently required.

Also, we began partially processing Agency new hires across the country under the Federal
Information Processing Standards (FIPS) 201 guidelines. Specifically, we began conducting the
Federal Bureau of Investigation (FBI) Criminal History Check (fingerprint check) before the new
hires entered on duty (EOD) starting October 2005, rather than after their EOD date.
Previously, the FBI fingerprint check was not conducted until after the new hires' EOD, which
resulted in new hires being found to be unsuitable after EOD. The various regional servicing
personnel offices also performed other checks based on guidance from SSA's Office of
Personnel. Thus, SSA did take advantage of the new HSPD-12 process to screen new hires
before bringing them on board. This part of our hiring process meets the directive.

We did not issue the building access badges according to the FIPS 201 separation-of-duties
process in regional locations where such access badges are used. We did not attempt this,
because we lacked the resources to train the regions and large sites on the process and to
properly oversee implementation. It should be noted that most SSA FO employees do not
receive building access badges. These badges are primarily issued in the larger SSA sites (e.g.,
regional offices, Program Service Centers, large Teleservice Centers and the Wilkes-Barre Data
Operation Center). Since the vast majority of FO employees do not have badges, that part of
FIPS 201 and OMB guidance did not apply to them for the study period.

October 2008 is our deadline for meeting this objective. We expect this deadline to be met.

Recommendation 2

SSA should ensure contract language is HSPD-12 compliant where appropriate.

Comment

We partially agree with this recommendation. During the study period, SSA did perform
background checks on contractors, something not generally required for contractors prior to the
signing of HSPD-12. We have performed such checks for about 20 years, putting us far ahead of
most Federal agencies. SSA's Office of Acquisition and Grants already includes Federal
Acquisition Regulation (FAR) 52.204-9, Personal Identity Verification of Contractor Personnel,
in all applicable new contracts. During the study period, the General Services Administration
(GSA) had not included language in the FAR to implement the requirements of HSPD-12. That
FAR clause was not issued until after the study period. The Agency is working to revise the
Security Requirements Clause to reflect that the new FAR language is in existing contracts.

Recommendation 3

SSA should issue credentials certified by GSA as having met Part 2 Personal Identity
Verification (PIV) II credential technical requirements.

Comment

We agree with the recommendation, but we disagree with the rationale for making it based on
the study period. We believe the problem with the initial testing of our credential was due to a
flawed GSA testing process and not due to our card. The card we procured, and all the programs
needed to issue the credentials stored in the card, came from the GSA Approved Products List.
Thus, the cards should have worked as designed. We have resubmitted our credentials to GSA
and expect that they will meet Part 2 PIV II technical requirements.

Recommendation 4

When available, implement the necessary infrastructure that will support and control the use of a
compliant credential.

Comment

We agree. We have pilots underway and are actively pursuing the implementation of the
required infrastructure. This process is expected to take at least 5 years and over
$30 million to complete.


[In addition to the comments above, SSA provided technical comments which have
been addressed in this report.]

                                                                      Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

Kitt Winter, Director, Data Analysis and Technology Audit Division, (410) 965-9702

Al Darago, Audit Manager, Application Controls, (410) 965-9710

Acknowledgments

In addition to those named above:

   Harold Hunter, Auditor-in-Charge

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218.
Refer to Common Identification Number
A-14-07-27110

                           DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and
Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
 House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family
Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                              Office of Resource Management

ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.